WebApp Sec mailing list archives
Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Mon, 25 Oct 2004 09:13:03 +0200
"David Wall @ Yozons, Inc." responded to me:
and most visible and sensitive web sites still ask users to enter passwords into unprotected web forms - making it trivial for attackers to emulate these pages and steal passwords. These include PayPal, chase, Microsoft's passport, Yahoo!, eBay, TD Waterhouse,... (I've checked most of them about a month ago and this was still the case; I've checked PayPal today...)Your tool may be nice, but Paypal does redirect to an SSL site if you typein paypal.com or www.paypal.com and if you click the "log in" link.
PayPal redirects to SSL site once you hit the `log in` link, but it also asks users for userid and password directly at its (unprotected) homepage, http://www.paypal.com. The same holds for Chase, Yahoo! etc (see screen shots and links from the paper, http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm). Some of them (e.g. Chase) are especially misleading as they display a padlock next to the `login` button, which users may interpret as `this is protected`. But of course these pages are not protected at all so they are trivial to spoof (and collect the passwords).
Of course, this helps, but since most web users are not savvy and don't useyour tool, such a "fix" rarely helps.
Exactly my point. Conclusions:1. Web users should be encouraged to use TrustBar (or browsers, or add-ins, providing equivalent functionality). 2. Browser developers should incorporate TrustBar (or equivalent mechanisms). This should be easy, esp. since our project is open-source (http://trustbar.mozdev.org) and as far as I know patent-free. 3. Web site designers should be more sensitive to this threat... It is amazing that such major sites have such obvious and trivial to fix vulnerabilities, and noticed I've informed them all; the only positive response I got was some discount vouchers from TD Waterhouse - but really I would have preferred, if they also acted on my trivial recommendation...
Here you are wrong; the problem is at the mail paypal site so many users - even not naive - may reach this site.After all, someone who is naive enough to follow such paypal links probably doesn't know anything about keeping themselves safe online, which is why they are targeted.
Best, Amir Herzberg http://AmirHerzberg.com Associate Professor, Computer science department, Bar Ilan University
Current thread:
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 25)
- RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Yvan G.J. Boily (Oct 28)